Conficker is still making a nuisance of itself and popping off and on the …


The Conficker botnet is proving to be a feisty bit of malware. It may never become a problem of Storm-sized proportions, but Conficker's authors seem determined to keep their system in play. Team White Hat, however, isn't giving up—OpenDNS and Kaspersky Lab announced on Monday, February 9 that they'd be working together to prevent Conficker from spreading once it's infected a network. There are two components to the new approach. First, Kaspersky Lab is capable of predicting what domains Conficker will attempt to contact, while OpenDNS' Botnet Protection feature prevents those domains from resolving internally. The result—at least in theory—is a cooped-up Conficker.

The problem the two companies are trying to address dates back to a new version of Conficker we first covered three weeks ago. Dubbed Conficker.B, the newer model is capable of spreading via USB stick and attempts to crack the passwords of other local systems. Once it has found additional systems to sink its hooks into, Conficker fires up and begins spreading itself across the network; only one system need remain unpatched for an entire network of systems to become infected.

OpenDNS intends to offer what it's calling its Botnet Protection feature, which will alert network administrators if Conficker's presence is detected. That's where Kaspersky Lab comes in. Kaspersky has cracked Conficker's predictive domain-generation algorithm and is able to predict which domain names the bot will attempt to register as part of its spam campaigns. OpenDNS is capable of blocking these domains if Conficker should ever put in an appearance, thereby preventing the malware from ever phoning home.
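The two halves of the approach just described, as an added example that is not OpenDNS or Kaspersky code: once a bot's domain-generation algorithm is known, a defender can precompute the day's rendezvous domains ahead of time, refuse to resolve them, and raise an alert naming the internal host that asked. The generator below is a deliberately simple, constructed stand-in (it is not Conficker's algorithm), and the query-log format is likewise constructed for the example.

```python
"""Resolver-side blocking of precomputed botnet rendezvous domains.

Added example, not OpenDNS or Kaspersky code. toy_dga() is an illustrative
date-seeded generator (NOT Conficker's DGA); the defender-side logic is the
point: precompute today's domains, answer NXDOMAIN for them, and record which
internal client asked so an administrator can find the infected machine.
"""
import hashlib
import re
from collections import Counter
from datetime import date

TLDS = ("com", "net", "org")


def toy_dga(day, count=5):
    """Constructed stand-in for a DGA: derive `count` domains from the date.

    Anyone who knows the algorithm (attacker or defender) gets the same set,
    which is exactly what makes the domains predictable and blockable.
    """
    domains = set()
    for i in range(count):
        seed = f"{day.isoformat()}:{i}".encode()
        digest = hashlib.sha256(seed).hexdigest()
        label = "".join(chr(ord("a") + int(c, 16) % 26) for c in digest[:10])
        domains.add(f"{label}.{TLDS[i % len(TLDS)]}")
    return domains


# Constructed query-log format, one "<client-ip> <queried-name>" per line.
LOG_LINE = re.compile(r"^(\S+)\s+(\S+)$")


def resolve_with_policy(client, qname, blocklist):
    """Decide what the resolver does with one query.

    Returns ("NXDOMAIN", alert) when the name is on the predicted list, so the
    bot never learns the controller's address, and ("FORWARD", None) otherwise.
    """
    name = qname.rstrip(".").lower()          # normalise trailing dot and case
    if name in blocklist:
        return "NXDOMAIN", {"client": client, "qname": name}
    return "FORWARD", None


def scan_query_log(lines, blocklist):
    """Apply the policy to each log line.

    Returns (hits, decisions): hits counts blocked queries per internal
    client, which is the administrator's alert list; decisions records the
    action taken for every parsed line.
    """
    hits = Counter()
    decisions = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue                          # skip malformed lines
        client, qname = m.groups()
        action, alert = resolve_with_policy(client, qname, blocklist)
        decisions.append((client, qname, action))
        if alert:
            hits[client] += 1
    return hits, decisions


if __name__ == "__main__":
    today = date(2009, 2, 9)
    blocklist = toy_dga(today)                # precomputed before the bot asks
    bad = sorted(blocklist)[0]
    # Constructed sample log: two internal hosts, one of them querying a
    # predicted domain, plus ordinary traffic that must still resolve.
    sample_log = [
        f"10.0.0.5 {bad}",
        "10.0.0.5 www.example.com",
        f"10.0.0.7 {bad.upper()}.",
        "10.0.0.9 mail.example.org",
    ]
    hits, decisions = scan_query_log(sample_log, blocklist)
    for client, qname, action in decisions:
        print(f"{client:10} {qname:35} {action}")
    print("hosts to investigate:", dict(hits))
```

The normalisation in resolve_with_policy matters in practice: a bot may query with mixed case or a trailing dot, and a blocklist that compares raw strings would let such queries through. Because the predicted set changes daily, the blocklist has to be regenerated on a schedule rather than loaded once.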

"Despite not introducing any technological innovation, the Conficker/Kido worm is regarded to be one of the most dangerous IT threats at the moment," said Vitaly Kamluk, Head of Antibotnet Research, Kaspersky Lab. "The worm was supposedly propagated via an existing botnet—this shows how dangerous the integration of two different malicious technologies might be. Speed of reaction in such cases is very important. We are open to all the communities and services that may help here. OpenDNS is one of the leading free and secure online services and we are happy that in this joint effort we can protect OpenDNS users as well."

IBM's X-Force report that we discussed last week also took special notice of Conficker. According to that research team, Conficker was only able to establish itself as a threat thanks to "a small proportion of enterprises (reportedly about 3 in 10) who have turned off automatic Windows Update and operate very long compatibility testing cycles before rolling out security patches...were it not for the addition of secondary propagation methods...this worm may not have become very widespread at all."

OpenDNS' Botnet Protection isn't an antivirus product and isn't meant to replace one, but it's another layer of security that could help overworked security admins lock down their networks. Conficker.B is a particularly good example of an infectious agent that needs just one hole (and a bunch of weak passwords) to propagate itself within a network—the more tracking methods available, the better.